WeBWorK Main Forum

Enabling password authentication after LTI account creation

Enabling password authentication after LTI account creation

by Sean Fitzpatrick -
Number of replies: 9
All of our courses are set up with LTI integration through Moodle, with Moodle being the only authentication pathway for students.

This week Moodle is having... issues. Students aren't able to sign into Moodle consistently, so they can access WeBWorK.

Are there any issues that could arise if I change my LTI settings to allow:
(a) students to change passwords
(b) direct login using that password

I'd like to make sure that students can keep working while we get our LMS sorted out.
In reply to Sean Fitzpatrick

Re: Enabling password authentication after LTI account creation

by Alex Jordan -
I don't know Moodle, but I'm going to assume the situation is like it is with LTI through D2L. We have no problem with allowing both direct login and LTI access, as long as you take some precautions.

If LTI is initializing student accounts, their WW passwords are some random thing that never gets used. They are not used when the student enters WW from the LMS. So it won't hurt if they are changed.

However, students can't change them, because they don't know what they are in the first place. You can assign everyone a password though, and then let them know what it is. After that, they can change their password.

Or if the LTI wasn't initializing the accounts, then they have whatever password was originally used. Which defaults to the student ID unless you import the users with a password hash.

I believe there is some LTI setting you should watch out for, that resets everything when a student re-enters WW via the LMS. Don't let it do that ;)


In reply to Alex Jordan

Re: Enabling password authentication after LTI account creation

by Sean Fitzpatrick -
Thanks Alex. Of course I was forgetting that they need their current password to change it.
I'm not sure if their password is empty, or random.
But either way I'd need to assign passwords, and we're looking at around 1000 students in about 15 courses.
By the time I get things sorted I bet the issues with our LMS will be sorted out.
(They've cut off access from off campus to ensure exams running today using the LMS are minimally impacted. That means my students can't work at home unless they've installed the campus VPN, which most haven't.)
In reply to Sean Fitzpatrick

Re: Enabling password authentication after LTI account creation

by Alex Jordan -
Ah, I didn't realize the scale of things. There is a utility in the bin folder that can change a user's password. If you had some kind of organized list of user IDs and what courses they were in, you could probably rig up a way to use that utility to get everyone's password set. But that would still take some work.

I'm pretty sure the passwords are random, not empty. If they were empty, something special would need to be in place to prevent people from just logging in using an empty password. But also I've exported classlists before where student accounts were created through the LTI, and the password hashes were all different.
In reply to Alex Jordan

Re: Enabling password authentication after LTI account creation

by Sean Fitzpatrick -
Seems like IT has quietly re-enabled off campus access.
Right now my LTI settings forbid logging in with user name and password for student accounts.
So even if the password is empty people can't log in.

I'm going to leave things be since I'm not seeing any emails from students demanding extensions tonight.
In reply to Sean Fitzpatrick

Re: Enabling password authentication after LTI account creation

by Nathan Wallach -
If you use grade passback, then direct login will not permit students to access the assignments. You would need to turn off the grade passback, and then reenable it and use a mass-grade update.

If you are passing back assignment (and not course) grades, that would be dangerous, as the mass grade update might be incomplete as a student who only entered an assignment via the direct login would not have provided the LTI grade-passback URL for that assignment for their ID to WeBWorK, so their grade would not be resend to the LMS until the once did enter the assignment link from the LMS.
In reply to Nathan Wallach

Re: Enabling password authentication after LTI account creation

by Alex Jordan -
> If you use grade passback, then direct login will not permit students to access the assignments

This surprises me. I confess I've never tried as a real student. But with my instructor account, I regularly log in directly as well as log in through the LMS. And I don't run into issues accessing the assignments. Say, to go over a problem in class. And all the while, course level grade passback is active.

Or maybe the Moodle connection behaves differently than with D2L.
In reply to Alex Jordan

Re: Enabling password authentication after LTI account creation

by Sean Fitzpatrick -
I can log in directly as an instructor. So can TAs.
In authen_LTI.conf you can set permission level cutoffs for who can log in directly and who needs to use LMS authorization. Same with password change.
But it looks like Moodle is back under control here, so we're out of the woods.

And in any case, I think the amount of work involved in creating and disseminating temporary passwords to all students means we stick with LTI.

Thanks.
In reply to Sean Fitzpatrick

Re: Enabling password authentication after LTI account creation

by Danny Glin -
I don't think the combination of LTI and local password authentication has had much attention for exactly the reasons that have already been mentioned: the challenge of getting initial passwords to students, and the complications of grade pass back when students are sometimes logging in via something other than the LTI link.

I know at least several institutions are using LTI along with LDAP authentication, because then WeBWorK is checking passwords against an existing server, so it doesn't need to maintain local passwords. This has been working well for us here, but we aren't using grade pass back, so we don't have to worry about those complications.
In reply to Alex Jordan

Re: Enabling password authentication after LTI account creation

by Nathan Wallach -
Correction/clarification: The system only blocks access to an assignment when
  1. $LTIGradeMode is set to "homework", and
  2. $set->lis_source_did is "false" (was not set yet based on a successful access of the assignment by the user via LTI)
in which case $LTIRestricted is set to true:
  • lib/WeBWorK/ContentGenerator/ProblemSets.pm line 386 (the case of interest)
  • lib/WeBWorK/ContentGenerator/ProblemSet.pm line 184
When $LTIRestricted is true then the message
You must log into this set via your Learning Management System (e.g. Blackboard, Moodle, etc...).
is displayed and $setIsOpen is set to 0, except for users who have "view_unopened_sets" permission.

Once a student has once used the LTI link to the specific assignment, the direct login will also allow access to the assignment.

Since all my testing of this feature was with accounts which intentionally had not used the LTI link to the assignment, I did realize that once the first LTI access was successful, a direct login would allow access.

Anyway - for the sake of long term reference, anyone who needs a temporary solution to allow direct login access to WW and who was using "homework" grade pass-back would apparently need to:
  1. temporary disable the grade-pass-back to avoid students who did not access some assignment from being logged out, and
  2. enable mass LTI grade updates after the return to LMS use, and
  3. remind students to use the LTI homework links for any assignments whose scores did not transfer, once the course returned to LTI access (to set their $set->lis_source_did for the assignment).
Otherwise, some assignment grades would remain only in WW and not be sent to the LMS.